Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jamesw
jamesw
Getting noticed
Member since Oct 12, 2018
9 hours ago
Community Record
40
Posts
4
Kudos
0
Solutions
Badges
08-16-2023
02:26 AM
We need to authenticate many users via an external captive portal, but without RADIUS/LDAP etc, so using Meraki Cloud Authentication: Is there a limit, on how many devices we can have authenticate against a pre-configured Meraki guest user (configured in Network > Users like so). We have enabled the "Allow simultaneous logins" option, but nowhere is a limit mentioned. We don't need to know, nor care about the user's username (we've already validated them during the captive portal phase), we're merely using this pre-configured username/password in order to authenticate them at the end of the captive portal journey and get them online. The network could have upwards of 10,000 users per day using this username/password. (The user never knows about this user/pass, its all done from our server side via the login_url as part of the normal external captive portal flow). We can't use the splash with "click through" as we're authenticating the user from the server side API call (once they hit our external captive portal etc), not from the users browser by way of redirects, and click through relies on the p_splash_session cookie which the external server does not have access to as it's set on the nxx.network-auth.com URL initially. Thanks
... View more
08-13-2023
02:00 AM
Thanks. As per above then, is there a limit of clients? Meraki's group policy page says 3,000 for manually applied, however I've been able to add 70,000 without error...
... View more
08-12-2023
04:06 PM
I don't follow. 1. You create a template and add all your networks to it. 2. You create a group policy inside the template. 3. You assign clients to the group policy. As the group policy is mapped to the template, isn't any client added to the group policy mapped to all networks? Are you saying that despite having a group policy at template level, you still have to go into each network separately and add a client to the group policy, for the same MAC?
... View more
08-12-2023
03:58 PM
So if I apply all networks in the org to a template, and add the clients to a group policy defined on the template, the clients will get assigned the policy on ALL networks mapped to the template?
... View more
08-12-2023
01:46 PM
Thanks @RaphaelL and @alemabrahao. I thought as much. I read the same about the 3,000 limit for group policies. I've tested, via API, adding tends of thousands of client MACs and it's accepted it just fine, so now not so sure: If using network templates, can you do group policies within them? Thanks
... View more
08-12-2023
09:33 AM
If you have 5000 networks, and you want to apply a custom group policy to some clients across your org, how can this be achieved without creating 5000 group policies (one per network) and mapping the client to each network's created group policy? Basically, we are looking to assign some clients a particular policy across the estate. Also, how many clients can be added to a group policy? We need potentially 100k+. Thanks
... View more
05-22-2023
12:33 AM
Yeah, got a ticket open but their support not yet finding anything, even though it has to be 100% the Meraki RADIUS cloud as it is that which sends the RADIUS packets out (not the AP or from customer premise) It's not the specific RADIUS proxy option, but when you enable splash page with RADIUS authentication, all RADIUS traffic comes from the Meraki cloud
... View more
05-19-2023
01:36 PM
Since 12/13 April we've seen an issue across our customer estate (both In Europe and Americas) where the Meraki Cloud RADIUS client has stopped sending us Accounting Interim and Stop packets. We do get the Start packet, however. This is for captive portal authentications (not WPA2-Enterprise) This causes a problem because the Interim and Stop packets are needed to read the attributes that include how long the session length was, and how much download/upload usage for the session etc. The Start packet looks like: User-Name = "abc123"
NAS-IP-Address = 209.206.50.44
NAS-Port = 0
Service-Type = Login-User
Framed-IP-Address = 10.3.8.112
Called-Station-Id = "E4-55-A8-AA-BB-CC:ssid"
Calling-Station-Id = "A6-96-DA-AA-BB-CC"
NAS-Identifier = "Meraki Cloud Controller RADIUS client"
NAS-Port-Type = Wireless-802.11
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = "825284631727869728"
Event-Timestamp = "May 19 2023 20:33:37 UTC"
NAS-Port-Id = "Wireless-802.11"
Meraki-Device-Name = "AP-Name-Here"
Authenticator-Field = 0x8c8d2982acee4ebbc1bd4c877dab3776 Normally, once the Start packet occurs, Interim updates are sent every five minutes until such a time when the session ends, then a Stop packet is sent. We're not receiving these packets at all, across hundreds of different customers. We're performed a raw packet capture on our RADIUS server(s) and the packet doesn't even reach us, so the Meraki Cloud is not sending them. Anyone else seeing this behaviour? Thanks, James
... View more
08-14-2022
05:33 PM
Could it be going crazy if there is a PoE power issue from the connected switch, or is LLDP just broadcasting it's state?
... View more
08-14-2022
04:38 PM
Thanks, but not seeing any other broadcast traffic being duplicated or similar. The Meraki's are on their own PoE switch, and if I disable the uplink port to our main switch the traffic instantly drops from 5MB/s to nothing (of course), but as soon as I enable the port again it goes mental. Additionally, if I run the packet capture on the Meraki dashboard, selecting the AP's, this also shows the Meraki sending all of the LLDP broadcasts, so this is definitely coming from the AP itself.
... View more
08-14-2022
03:18 PM
I have three MR33's in an office and between them I'm seeing over 61,000 LLDP broadcasts in 40 seconds, all the same stuff. It's causing over 5MB/s on the switch ports they are connected to and because it's broadcast traffic this is going through all my switches/router. What are they doing? How can I disable LLDP on the AP's so they stop spamming? Thanks!
... View more
06-09-2021
01:38 AM
So kind of got this working with the mac based control and click through, but unfortunately it doesn't send Accounting Interim packets (only Start and Stop) so that's not great for what we need. When using "Sign on with my RADIUS server" it does send Interim updates as it has for many years. Hmm...
... View more
06-04-2021
12:48 AM
Thanks Rodrigo. This is how most vendors work - if MAC authentication fails (Access-Reject), the user will be redirected to the captive portal page for authentication. If MAC authentication succeeds (Access-Accept) the user is straight online, no captive portal redirect. I understand Meraki do it slightly differently, in that you must always send an Access-Accept else the client will not be able to even join the WLAN, but we still need some way to redirect them to the captive portal so they can register/login etc
... View more
05-31-2021
10:56 AM
Interested to know more on what you use the "Called-Station-Id" for when using the proxy, and why the format can't be changed? 🙂 Thanks
... View more
05-27-2021
09:19 PM
I really don't understand this decision. Why introduce a feature to make it more flexible, then take it away? Is there a technical reason why Meraki can't allow a customised Called-Station-Id format? This means your systems do not match and have no parity. This will mean customers are not able to use the proxy, because it still uses the BSSID as the Called-Station-Id which is not useful. In your previous reply, you state "The change from BSSID to MAC address does now align with the rest of the industry" - but not if using proxy 🤔
... View more
05-27-2021
10:25 AM
What do you mean, you don't support it because you use it? 🙂 If a packet is being proxied from an AP, it should honour the same going through the proxy. If you can customise the NAS-ID when going through the proxy, what's the problem doing the same for Called-Station-Id? This effectively means the proxy is useless as it can't be set to what it needs to be...
... View more
05-24-2021
02:01 PM
We could, but it goes against the reason we exists, because customers don't want to install/set up anything that they don't already have. So, we can generally work with any wireless kit just by running our captive portal and RADIUs in the cloud, at no cost or extra software/hardware installed on the customers site.
... View more
05-24-2021
01:24 PM
I see your point, but the problem is we are not a "customer" but a service provider. We don't own the kit, or install it, or have access to the setup on site. We provide a cloud captive portal/authentication/analytics service, so, it's not easy to ask our customers to configure site-so-site to us as we have thousands of Meraki customers around the globe using our solution and for now, we still can't support MAC authentication with captive portal bypass.
... View more
05-24-2021
01:21 PM
Hi Rodrigo Correct, on the Access Control page. This is what I have set: Association requirements: MAC-based access control Splash page: None or Click-through Scroll down to the RADIUS options and set: RADIUS CoA support: Unchecked RADIUS proxy: Checked You'll see when you enable the RADIUS proxy option, the new Called-Station-Id option disappears but the NAS-ID option is there! Thanks
... View more
05-24-2021
01:15 PM
Thanks for the reply! We're not using any kind of strange design, nowhere in the documentation does it mention or indicate that you must use a local, on-site based ISE server. Everything is moving off-site to the cloud, including the way Meraki has worked from day one - they are a cloud controller and RADIUS server, with just the AP's on site. In reality, we're doing no different by hosting our RADIUS server in the cloud, it's just that there seems to be an expectation that an ISE server locally which isn't practical when you are a large service provider. Therefore, I feel Meraki should make it possible to proxy this traffic/feature or at least some API service so that we can send the CoA to the Meraki cloud, which can then send the signal direct to the relevant AP, without any firewall/port forward mess. The problem actually arises because Meraki are the only vendor I know that do not support MAC authentication with proper captive portal bypass. They do not allow you to select both MAC-based access control along with splash sign on via RADIUS server. So, their recommendation is to use the ISE option, which, in its current state, is one step forward and two steps back 🙂
... View more
05-24-2021
12:02 PM
Thanks Rodrigo! This is also a similar query - wondering if you might be able to answer? https://community.meraki.com/t5/Wireless-LAN/Mac-based-authentication-with-ISE-cloud-RADIUS-server-and-CoA/m-p/119165#M17008 Thanks James
... View more
05-24-2021
02:01 AM
We're testing out the following: Association requirements: MAC-based access control Splash page: Cisco Identity Services Engine (ISE) Authentication We run a cloud RADIUS server which acts as the ISE in terms of the RADIUS handling. So the flow currently works like this: Client associates to SSID Local AP sends Access-Request to configured RADIUS cloud server IP Our RADIUS replies with an Access-Accept and a Cisco-AVPair redirect url Client is redirected to our splash page URL and registers etc All good up until this point, but the problem is that to get the user online, we have to send a CoA request back to the local AP from our cloud RADIUS. Whilst we can open the firewall and perform a port forward to the AP, this only works if there is a single AP. More than one AP, and the solution falls over because you can't externally access all the different AP's using a single port forward. Why can't Meraki allow the RADIUS proxy option to work with this setup? For true captive portal authentications we can send a CoA back to the Meraki cloud which in turn authenticates the user on the local AP. But for ISE, it disables the RADIUS proxy option. Not everyone runs a local RADIUS server! Does anyone know an alternative way of achieving MAC authentication AND external captive portal fall-back? Thanks J
... View more
05-24-2021
12:46 AM
1 Kudo
Thanks, can you elaborate any further? Do we need to set up a new SSID in Meraki and use the same VLAN ID, or can it use the same SSID? What SSID should we configure the splash page settings/RADIUs for in case of the MAC authentication being rejected? It seems a strange way of doing it...
... View more
05-21-2021
03:27 PM
Something I noticed... when you enable the RADIUS proxy option, the setting for the Called-Station-Id format disappears, but the NAS-ID format option is there.. this seems a little odd and I don't understand why you still can't set both? Without proxy: With proxy: Bug, or something else? Thanks J
... View more
05-21-2021
07:24 AM
In the UI, you can select: Association: MAC-based access control Splash page: Click through It accepts this and all is okay (I know you can't use sign on with RADIUS and MAC-based access control together) However, how does this work in practice? I would expect, that is the RADIUS server replies with an Access-Reject, the end user will then be redirected to the configured click through splash URL, and if Access-Accept, the end user will be straight online without any splash authentication required. But, it seems to not work like this. If you do Access-Reject, it doesn't allow the device even to associate. If you do Access-Accept, the user is connected with no click through splash redirect and has full Internet. So, how do you actually get it to redirect someone to the splash page? Thanks J
... View more
My Top Kudoed Posts
